I realize that OpenID is far from an ideal solution. But right now, the one-login-per-website problem is so bad that I am willing to accept these tradeoffs for a partial, worse-is-better solution. There’s absolutely no way I’d put my banking credentials behind an OpenID. But there are also dozens of sites that I don’t need anything remotely approaching banking-grade security for, and I use these sites far more often than my bank. The collective pain of remembering all these logins — and the way my email inbox becomes a de-facto collecting point and security gateway for all of them — is substantial.

So if we are evangelizing OpenID to some degree, it is because I would rather be part of the solution than yet another brick in the wall of the problem. Even if it involves a tiny bit of short-term friction. Be the change you want to see, right?

In the almost two years since we began using OpenID, that tiny bit of friction has gotten progressively smaller:

Google began fully supporting OpenID. This was (and is) huge. As you can see from these meta stats, Google is by far our largest OpenID provider at 61% of all registered accounts.

Microsoft announced OpenID support. Although there was a beta, and beta live.com OpenIDs were used on our website, the current state of their OpenID support is in limbo. Still, being Microsoft, their official (though technically nonexistent, and I’m sure trapped in strategy tax hell) support legitimizes OpenID as a standard.

Most client implementations of OpenID have switched from “enter your OpenID URL” to “click the logo of the company that provides your identity”. OpenID was frequently criticized for being too URL-centric when the user identity world is email-centric, so this is a significant usability improvement.

We implemented support for up to two OpenID providers per user. This flexibility turns out to be important, so you can switch out or change the OpenID identities in your virtual wallet as you see fit. It’s handy to have a backup form of identity “on you”, just like in real life.

The trend is certainly encouraging.

However, there have also been a few things that happened which illustrate the risks of OpenID, too:

Several lesser providers (Technorati, Vidoop, Mozilla Weave) went belly-up, leaving their users stranded with no way to authenticate.

Occasionally OpenID providers will have bugs or service outages — even big ones like Yahoo. Fortunately this is quite rare, but it does happen, and troubleshooting it can be a pain precisely because it’s open and decentralized, and there are three parties involved — the website, the user, and the OpenID provider.

The OpenID protocol itself can be implemented in unusual or incomplete ways by different providers. This leads to challenges for us, but fortunately we have an excellent dialog with Andrew Arnott, the primary author of the open source DotNetOpenAuth library we use. We support the project financially and also try to contribute as many bugfixes as possible, so OpenID can get better for everyone.

There are certainly challenges, and although I am open to alternative login mechanisms, particularly for Stack Exchange, I’m still bullish on OpenID. We have to keep moving forward on fixing the login explosion problem, because the status quo sucks.

To that end, we’re continuing to refine our implementation.

Although I listed Google supporting OpenID as my #1 improvement since we began using OpenID, their support also contains a bit of a poison pill — Google GMail OpenIDs are specific to the domain you create them on. In other words, the same GMail OpenID used on stackoverflow.com, serverfault.com, and superuser.com results in three different OpenID URLs being created. This is completely by design, but I should note that no other OpenID provider to date has done this. To their credit, they do offer proper named OpenIDs now in the form of Google Profile OpenIDs, but this does nothing to fix the status quo for GMail OpenIDs.

That’s a major bummer for site networks like us with multiple domains. We use the OpenID string as your user “fingerprint”, so if your “fingerprint” changes, we can’t tell who you are any more. It’s a frustrating problem, but we think we’ve finally come up with a fix: we demand email from Google GMail OpenIDs!

If we have an email address from a verified OpenID email provider (that is, an OpenID from a large email service we trust, like Google or Yahoo), then it’s guaranteed to be a globally unique string. We treat this as part of the identifying user token, attached only at login time, that is not editable by the user.

So our cross-site user account matching now works this way:

1. Match by GUID. This is something we generate and assign during account association, so it’s a perfect fingerprint.

2. Match by OpenID URL. This works for the vast majority of OpenID providers.

3. Match by OpenID-provided email address, if you are on our trust whitelist. This works for those rare OpenID providers (currently, only Google GMail) that generate domain-specific identifiers.

This satisfies all known OpenID providers, so we can now potentially associate your accounts, across all of our websites, automatically. You’ll still have to log in, of course, but the login itself could trigger account association for every site in the network.

There is one, and only one, downside: we must demand email from Google OpenIDs. Email is not usually required to use our sites, but you can’t log in via Google if you refuse to provide your email address to us. You can always switch OpenID providers, of course, but we regretfully must make the email demand mandatory in the case of Google.

Still, given the overwhelming dominance of Google OpenIDs, we think that’s a major improvement, and only a minor tradeoff.
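As an added illustration (not code from the original post, and not Stack Overflow’s own implementation), here is the three-step matching cascade above together with the mandatory-email rule for Google, modelled in Python as one account store shared by every site in a network. The provider hosts, the claimed-identifier strings and the data shapes are assumptions; the whitelist check keys on the endpoint the assertion was actually verified against, never on anything the user typed.

```python
import uuid
from dataclasses import dataclass
from typing import Optional

# Constructed whitelists. The post trusts large email services such as Google and Yahoo,
# and says only Google currently issues domain-specific (per-realm) OpenIDs.
TRUSTED_EMAIL_PROVIDERS = {"google.com", "yahoo.com"}   # their asserted email is a stable key
REALM_SPECIFIC_PROVIDERS = {"google.com"}               # email is mandatory for these

@dataclass
class Assertion:
    """What the relying party learned from one *verified* OpenID login (constructed)."""
    provider: str                 # host of the OP endpoint the assertion was checked against
    claimed_id: str               # the OpenID URL: the user's "fingerprint"
    email: Optional[str] = None   # provider-asserted email (AX/SReg), if any

@dataclass
class Account:
    guid: str
    openids: list                          # up to two OpenID URLs per user
    verified_email: Optional[str] = None   # written only at login time, never user-editable
    contact_email: Optional[str] = None    # user-editable; deliberately unused for matching

class NetworkAccounts:
    def __init__(self):
        self.by_guid = {}   # one store shared by every site in the network

    def match(self, a: Assertion, guid_cookie: Optional[str] = None) -> Optional[Account]:
        # 1. GUID assigned at association time: a perfect fingerprint.
        if guid_cookie in self.by_guid:
            return self.by_guid[guid_cookie]
        # 2. OpenID URL: works for providers whose identifier is the same on every site.
        for acct in self.by_guid.values():
            if a.claimed_id in acct.openids:
                return acct
        # 3. Provider-asserted email, only from the trust whitelist. The check is on the
        #    verified endpoint, so an arbitrary OP cannot assert someone else's Gmail
        #    address and get matched to that person's account.
        if a.provider in TRUSTED_EMAIL_PROVIDERS and a.email:
            for acct in self.by_guid.values():
                if acct.verified_email == a.email:
                    return acct
        return None

    def login(self, a: Assertion, guid_cookie: Optional[str] = None) -> Account:
        if a.provider in REALM_SPECIFIC_PROVIDERS and not a.email:
            raise ValueError("email is mandatory for %s logins" % a.provider)
        acct = self.match(a, guid_cookie)
        if acct is None:
            acct = Account(guid=str(uuid.uuid4()), openids=[a.claimed_id])
            self.by_guid[acct.guid] = acct
        elif a.claimed_id not in acct.openids and len(acct.openids) < 2:
            acct.openids.append(a.claimed_id)   # a new per-realm Google ID joins the wallet
        if a.provider in TRUSTED_EMAIL_PROVIDERS and a.email:
            acct.verified_email = a.email       # login-time write only
        return acct
```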

33 Comments

Well done Jeff. Your decision to go with OpenID has only helped OpenID develop into something great.

My decision to adopt OpenID for my own site came about simply because by the time I was ready to do it, Google had added support for it, and there were clever OpenID selector interfaces out there ready for me to use. And of course, just as you use the DotNetOpenAuth project, so do I.

One nice feature of OpenID that I use is the ability to delegate the openID verification. So I can set up my own domain name, and then put a tiny bit of XML on that page that tells the site (like stackoverflow) to go to some other openid Provider (in my case MyOpenID). The big plus is that I have complete control over my Open ID account. If MyOpenID goes down, I can just switch to another provider. I think anybody who has their own domain name should go for this option.
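As an added example (not the commenter’s own setup, and not any relying party’s actual code), this Python sketch shows what a relying party reads from a delegating page like the one described: the page’s link tags name the provider endpoint and the local identifier, while the claimed identifier stays the user’s own URL, so switching providers means editing only the page. The page contents, hostnames and the https-only policy are assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

class _OpenIDLinks(HTMLParser):
    """Collects <link rel=... href=...> tags; rel may hold several space-separated tokens."""
    def __init__(self):
        super().__init__()
        self.links = {}

    def handle_starttag(self, tag, attrs):
        if tag != "link":
            return
        a = dict(attrs)
        for token in (a.get("rel") or "").lower().split():
            self.links.setdefault(token, a.get("href"))

def discover(claimed_url: str, page_html: str) -> dict:
    """Return what a relying party learns from the user's own page.

    openid2.provider / openid2.local_id are the OpenID 2.0 link names,
    openid.server / openid.delegate the OpenID 1.1 ones.
    """
    p = _OpenIDLinks()
    p.feed(page_html)
    endpoint = p.links.get("openid2.provider") or p.links.get("openid.server")
    local_id = p.links.get("openid2.local_id") or p.links.get("openid.delegate") or claimed_url
    if not endpoint:
        raise ValueError("page carries no OpenID provider link")
    # Policy choice made here (not an OpenID requirement): whoever controls this page or
    # its DNS decides where authentication goes, so at least insist the hop is TLS-protected.
    if urlparse(endpoint).scheme != "https":
        raise ValueError("refusing non-https provider endpoint: %s" % endpoint)
    # The claimed identifier is still the user's own URL; only the provider is delegated.
    return {"claimed_id": claimed_url, "op_endpoint": endpoint, "local_id": local_id}

# Constructed example of the "tiny bit of XML" on the user's own domain.
DELEGATING_PAGE = """<html><head>
<link rel="openid2.provider" href="https://provider.example/server">
<link rel="openid2.local_id" href="https://alice.provider.example/">
<link rel="openid.server" href="https://provider.example/server">
<link rel="openid.delegate" href="https://alice.provider.example/">
</head><body>Alice's home page</body></html>"""

if __name__ == "__main__":
    print(discover("https://alice.example/", DELEGATING_PAGE))
```

Because the relying party trusts whatever these tags say, the page and the domain that serves it are the security boundary for a self-hosted identity.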

I think it’s a bit weird that in some ways the trilogy sites are run as one (ability to move questions), but are treated separately (logins, profiles) in other ways. I assume it’s a deliberate decision to not consolidate logins, but it is a usability PITA to have to log in up to 4 times when you use a new machine.

The Gmail login fix especially seems like a kludge. Is there any reason you didn’t use cross-site requests to detect if a user is logged in on any of the sites and automatically log them in?

I too am a big supporter of DotNetOpenAuth (not financially), but I think, not having to reinvent the wheel, that it has become my de facto standard for OpenID support in the .Net space.

Additionally I think Open ID is the shiz… not having an “account” in 100 places makes it so much easier to get access to something without having to worry so much about telling them who you are all the time and keeping that information updated.

SO’s support of Open ID was one of my main reasons for getting so active – it makes it so easy for someone drifting by in the QA world to contribute.

Great write-up. I just came from an OpenID Summit near San Jose, CA and we have some great ideas filling the spec development pipe that will hopefully resolve some of the remaining issues you have with OpenID.

One year later and I *still* haven’t signed up for StackOverflow. The OpenID paradigm still seems overly complicated and ties me to all kinds of other providers and systems. What’s great about a username and password is it’s simple, and obvious, and familiar. My browser saves my username and password information (and syncs it to the cloud) making it no fuss at all.

> We have to keep moving forward on fixing the login explosion problem, because the status quo sucks.

OpenID sucks as well. So you might not be part of one problem, you’re just part of another. Either way, mandating this craziness is bound to turn off some users, myself included.

> What’s great about a username and password is it’s simple, and obvious, and familiar.

So are horses, but I’d rather build roads for cars.

> The requirement to switch out to another site to log into StackOverflow

You don’t, though — once the one-time cookie is set, you never have to think about it. It’s really quite effortless, at least through the major providers (Google, Yahoo, MyOpenID).

Also, if you’re really gung ho about never getting with this crazy communist tinfoil hat OpenID stuff, you can still participate without ever registering. And, the login page will now let you recover your cookie for the unregistered account, provided you’ve given us a valid email address.

However, why do you “demand” an email address of Google OpenID users? I think this is an invasion of privacy. If a user chooses to have different identities on StackOverflow and SuperUser, I consider that his/her decision.

Why not offer the choice to the user: if you want to link StackOverflow sites to one another, you need to supply an email address.

The only reason I can think of (I don’t buy the usability defence), is commercial (ads and stuff).

Um… I’m one of your gmail openID users, and you have my e-mail, but you won’t be able to match it up. Why? Because I use emailname+sitename@gmail.com whenever I sign up for a new service. Now I could change that maybe, but if I want different gravatars on the sites (and I have a different one I like on meta and another on serverfault) I have to keep the e-mail addresses distinct.

Doesn’t work for me, and as far as cookies go – I have them deleted every time I close my browser.

I don’t keep a history and I don’t keep cookies. It’s a security issue for me. We are being tracked all over the internet. I leave plenty of digital crumbs to pick up, but I honestly believe too much harm is being done, even by those that claim to do no evil.

I tried the openId and I never was able to get it to work a second time; to be honest I didn’t put that much effort into it because it’s just not worth it.

You might be surprised at how many people walk away because of the pain in the ass factor.

You may love it, you may believe it’s the best thing on Earth, hell it may be the best thing on Earth, but when it comes to users if they don’t get on board, you lose anyway. Being right doesn’t mean you win.

> Um… I’m one of your gmail openID users, and you have my e-mail, but you won’t be able to match it up. Why? Because I use the emailname+sitename@gmail.com whenever I sign up for a new service.

Google sends back your actual email address, which is stored in a database column that is only writable at login time and cannot be edited by anyone; the editable email you change is in a different column.

> In other words, you’ve had to special-case a specific OpenID provider. Remind me again why this is better?

It is a bit of a special case (more of a trust whitelist, really) but when you’re dealing with the 800 lb gorilla of OpenID, that’s just how the world works. When Google moves, you move. Or you get crushed. Same with anyone in the Apple, Microsoft, etc. ecosystem.

> You might be surprised at how many people walk away because of the pain in the ass factor.

Walk away from what? The fact that we offer completely unfettered anonymous participation, like Wikipedia? There’s nothing to walk away *from*. Heck, as long as you’re willing to juggle a browser cookie in perpetuity you could stay an unregistered user and generate 50k+ in rep.

I don’t want to use OpenID because it means my data is held hostage by at least 2 parties: StackOverflow itself, and my OpenID provider. As you mentioned, if your OpenID provider folds (or simply decides not to provide the service anymore), you’re kind of screwed.

Sure you can add a *second* OpenID identity, but the average user won’t think of doing that until after the first is already down – meaning, after it’s already too late.

I mean, look…
Technically: the issues above.
Usability: being redirected from site to site while logging in. Having your data made inaccessible through the actions of a third-party outside of your control.
Features: inability to combine OpenIDs. For example, if you have a LiveJournal and Google ID, and you decide you want to log into both using your Google ID, you can’t without creating a brand new LiveJournal account. (This is something you can do with *every* alternative, including Passport.)

Sure you can *fix* these problems by paying for a domain name, web server and knowing XML, but see the “usability” point above.

I get what you’re saying about managing logins, and how it sucks. But there *has* to be something better than OpenID… OpenID is awful. So, so many problems. And the more people implement OpenID in its current (sucky) form, the less likely it is it’ll ever be improved due to momentum.

Even more annoying, you’re *forcing* users of this site into OpenID because *you personally* have an issue with logins. What if I don’t have an issue with logins? What if I don’t mind using a username and password for every site? What if I *prefer* to do it that way? Nope! No choice! You’re not smart enough to make your own choice, it’s our way or the highway.

Re: “we can now potentially associate your accounts, across all of our websites, automatically” … this will be particularly useful for the new Stack Exchange “2.0” sites that will be operated by Stack Overflow. :-)

Thanks for this write-up Jeff. OpenID certainly isn’t perfect, but I agree with you that once there is a greater migration to cloud-delivered services, the idea that a single browser instance will or should have all of your passwords will seem quaint.

Of course your audience is more technical than the average audience, and are willing to jump through more hoops to secure their identity online. Finding the right balance of features, functionality, and privacy-preserving features is a core goal of the OpenID community.

To James Schend I’d ask if he uses a webmail provider of any kind? Or if he banks online? I certainly understand that there will always be people who don’t want to rely on others to protect or store their data, but increasingly I find that keeping data on my local hard drive just means that I have more worries about backing up my data, and that the data becomes less valuable over time because it’s harder to share.

That might just be specific to me and how I use the web, but as it is, I own my identity because I host my own OpenID. When I sign up for any new service these days, most still ask me for an email address or password — and it seems much more dangerous to use or reuse one of my rotating passwords than to treat them as a relying party.

I’m also bullish about OpenID — and it takes experiments like yours to tease out the opportunities to improve the technology.

It’s amazing just how much resistance there is to this technology. I happen to be one of those rare people who would *rather* use my gmail email address as *the* OpenID (ala, webfinger) –

URLs are annoying, and even though you’re providing login option buttons for major providers (Google, Yahoo, AOL, even WordPress and Blogger), so that URL handling is done natively through the “click-through” process, it makes so much more sense semantically to use an email address for what it was intended: identity.

In any case, I’ve been a major fan of stack overflow for the very adoption of OpenID. It does seem there’s much user interface/usability questions that still need to be solved (I’m a UI guy), and I wouldn’t exactly say the interface is fully intuitive (redirecting where for what?), but I’m still placing my faith in the whole process — in time we’ll develop better discovery methods, and browsers will probably hold the technology natively to make things more robust and powerful.

My ultimate opinion? There should be some standards adopted by in the HTML5 spec that utilize these new technologies: OpenID, OAuth, ActivityStreams, etc.

Superior writer, OpenID is a safe, faster and easier way to log in to web sites. With social network websites being the new web internet, there is nothing like the OpenID ideal solution for the new web.
And I’m sure there is a lot more to come: apps and exciting new features that will make OpenID one of the most valuable players in the world of the new internet : )

Hey Jeff, in the context of your “One Year Later” series, perhaps you could talk about LINQ2SQL and your future ORM plans. I’m a great supporter of LINQ2SQL, despite its kind of… abandonment, for lack of a better word. It would be cool to hear about your thoughts on it.

As a site owner, I refuse to add support for openid; it’s not my problem you have 40 passwords you have to remember. I don’t have 40 passwords, only a few, but I group them according to website, i.e. one password for all forums, one password for all banking, one password for misc, etc.

I’m also not a big fan of all the increased use of third party sites, i.e. social commenting, etc. You will never see a facebook or any other third party commenting system on my website. Site owners are giving up their ownership to third parties, that’s how America lost their mojo.

More and more sites that I want to use present the openID obstacle to me. If I really want to use the site I have to create a new email address and openID every time. This just sucks. Especially when the providers block my email address provider, have broken signup form validation and unreadable and occasionally broken captchas.

The larger sites won’t suffer, because they have a large audience. So alienating a small percentage won’t bother them.

Why are people so upset about using OpenID which lets them sign in with a couple of clicks? The only viable alternative is the tried & tested method of using an email address to sign up and then making people check their inbox and click a verification link, which is just manually doing what OpenID does.

Wikipedia is less anonymous if you’re not logged in, as it publishes your IP address as an identifier with contributions you make.